* Request's sender is set to the token's issuer's public key if
it's impersonated. Thus, token's user assertion must be fixed;
* Add unit-test: check impersonated token but set user with `ForUser`.
Change-Id: I5e299947761e237b1b4b339cf2d1278ef518239d
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
* APE-overrides are optional for bearer. So, it should validate only set override;
* Bearer can set overrides for containers, not only the one container - validation
expects for any target type for set override. Basically, APE-overrides for all
containers must be set for namespace target;
* Add unit-test cases to check bearer token validation.
Change-Id: I6b8e19eb73d24f8cd8799bf99b6c551287da67d9
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
* The bearer token must always be validated, regardless of whether it has been impersonated;
* Fix unit-tests for tree service which check verification with bearer token.
Close #1721
Change-Id: I5f715c498ae10b2e758244e60b8f21849328a04f
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
Allows updating the list of public keys authorized to invoke
'Tree service' operations without restarting the node.
Change-Id: I01b6e05875b7ae3f3218062eb12bf9755e87f2a3
Signed-off-by: Alexander Chuprov <a.chuprov@yadro.com>
* Make `verifyClient`, `checkAPE` receive `treeID` from request body;
* Make `newAPERequest` set `$Tree:ID` property;
* Add unit-test to check if a rule for `$Tree:ID` works.
Close #1701
Change-Id: I834fed366e8adfd4b5c07bf50aac09af6239991b
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
* Update version within go.mod;
* Fix deprecated frostfs-api-go/v2 package and use frostfs-sdk-go/api
instead.
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
In some places we have debug=false, in others debug=true.
Let's be consistent.
Semantic patch:
```
@@
@@
-test.NewLogger(..., false)
+test.NewLogger(..., true)
```
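Review bot: the rewrite to `test.NewLogger(..., true)` turns debug on at every matched call, but the message only argues for consistency and does not say why `true` was picked over `false`. A one-line rationale for that choice in the commit message would make the change easier to review.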
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
* Use DeletionInfo method from morph client to check if
the container has been really removed from neo-go
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
Make it store its internal `zap.Logger`'s level. Also, make all the
components accept internal `logger.Logger` instead of `zap.Logger`; it
will simplify future refactoring.
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
1. Do not require a request to be signed by the container owner if a
bearer token is missing
2. Do not check the system role since public requests are not expected to
be signed by IR or a container node (unlike the object requests)
Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>